doc(jans-auth-server): put more info about token related configuration properties #3680 (#3681)

* doc(jans-auth-server): put more info about token related configuration properties

#3680

yuriyz committed Jan 24, 2023
1 parent 4615973 commit 2c1b64d
Showing 5 changed files with 66 additions and 12 deletions.
8 changes: 7 additions & 1 deletion docs/admin/auth-server/endpoints/introspection.md
Expand Up @@ -18,11 +18,15 @@ introspection](https://datatracker.ietf.org/doc/html/rfc7662) specifications.
The URI to invoke the introspection endpoint in Janssen Server
can be found by checking the `introspection_endpoint` claim of the OpenID Connect configuration response, typically deployed at `https://janssen.server.host/.well-known/openid-configuration`

` "introspection_endpoint" : "https://janssen.server.host/jans-auth/restv1/introspection" `
"introspection_endpoint" : "https://janssen.server.host/jans-auth/restv1/introspection" `

More information about request and response of the Introspection endpoint can be found in
the OpenAPI specification of [jans-auth-server module](https://gluu.org/swagger-ui/?url=https://raw.githubusercontent.com/JanssenProject/jans/vreplace-janssen-version/jans-auth-server/docs/swagger.yaml#/Token/get-introspection).

**Request parameters**
- `token` - REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint
- `token_type_hint` - OPTIONAL. A hint about the type of the token submitted for introspection. Not used in current implementation of the AS.
- `response_as_jwt` - OPTIONAL. Boolean value with default value false. If true, returns introspection response as JWT (signed based on client configuration used for authentication to Introspection Endpoint).

## Sample GET Request

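Review bot: the replacement line in this hunk drops the opening backtick but keeps the closing one (`"introspection_endpoint" : "https://janssen.server.host/jans-auth/restv1/introspection" ` `), so the claim now renders with a stray trailing backtick instead of as inline code; either restore the leading backtick or, better, put the claim in a fenced ```json block as the rest of this page does for request and response samples. In the new parameter list, `response_as_jwt` says the JWT is "signed based on client configuration used for authentication to Introspection Endpoint"; name the client property the signing algorithm is taken from and say what the caller is expected to verify (signature, `iss`, `aud`), since a JWT-formatted introspection response only adds value if the resource server validates it rather than merely decoding it.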
Expand Down Expand Up @@ -86,6 +90,8 @@ curl -X 'POST' \
}
```

## Response as JWT

## Disabling The Endpoint Using Feature Flag

`/introspection` endpoint can be enabled or disable using [END_SESSION feature flag](../../reference/json/feature-flags/janssenauthserver-feature-flags.md#introspection).
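Review bot: the new `## Response as JWT` heading is added with no body, so the page now has an empty section; either add the description and a sample (a request with `response_as_jwt=true` and the resulting JWT, with the client setting that selects the signing algorithm) or leave the heading out of this commit. While in this file: the unchanged line below the heading says the endpoint is toggled with the `END_SESSION` feature flag while the link anchor is `#introspection`; the flag name in the text looks like a copy-paste from the end-session page and should name the introspection flag the anchor points to.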
13 changes: 13 additions & 0 deletions docs/admin/auth-server/endpoints/token-revocation.md
Expand Up @@ -54,3 +54,16 @@ navigate via `Auth Server`->`Properties`.
- [mtlstokenrevocationendpoint](../../reference/json/properties/janssenauthserver-properties.md#mtlstokenrevocationendpoint)
- [tokenRevocationEndpoint](../../reference/json/properties/janssenauthserver-properties.md#tokenrevocationendpoint)

## Revoke all tokens by `client_id`

To remove all tokens for given `client_id` it's required:
- set `allowAllValueForRevokeEndpoint` AS configuration property to `true`
- pass in request parameter `token_type_hint=all`

`client` is identified by Client Authentication performed by AS to grant access to `/revoke` endpoint.

## Revoke Interception Script

Endpoint can provide custom behavior via implementing Revoke Token interception [script](../../developer/scripts/revoke-token.md).


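Review bot: the new section should say where `client_id` comes from: the second paragraph implies it is the authenticated client, so state explicitly that the server revokes the tokens of the client that authenticated to `/revoke`, not of a `client_id` supplied as a request parameter, otherwise a reader may assume one client can revoke another client's tokens. Also document what the `token` parameter (REQUIRED in RFC 7009) should carry when `token_type_hint=all` is used, that `all` is a Janssen-specific hint value rather than one of the two values RFC 7009 defines (`access_token`, `refresh_token`), and what the endpoint returns when `token_type_hint=all` is sent while `allowAllValueForRevokeEndpoint` is `false`. Minor wording: "To remove all tokens for given `client_id` it's required:" reads better as "To revoke all tokens issued to a client:", and "`client` is identified by Client Authentication performed by AS to grant access to `/revoke` endpoint." as "The client is identified by the client authentication the AS performs on the `/revoke` request."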
38 changes: 36 additions & 2 deletions docs/admin/auth-server/tokens/oauth-access-tokens.md
Expand Up @@ -77,7 +77,7 @@ Auth Server interception scripts. The preferred script is the
[update token script](../../developer/scripts/update-token.md). You can
also use the [introspection script](../../developer/scripts/introspection.md).

### Access Token Crypto
### Access Token Crypto (JWT)

JWT access tokens are signed by Jans Auth Server using
algorithms specified in the `access_token_signing_alg_values_supported`
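Review bot: renaming the heading from `Access Token Crypto` to `Access Token Crypto (JWT)` changes its generated anchor (`#access-token-crypto` becomes `#access-token-crypto-jwt`); grep the docs tree for links to the old anchor and update them, or keep the old heading text so existing deep links still resolve.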
Expand All @@ -86,16 +86,50 @@ signed with the standard OpenID signing key.

Jans Auth Server supports TLS client certificate bound access tokens. After
a successful mutual TLS client authentication, Jans Auth Server encodes the
client certificate thumbprint (hash) in `cnf` claim of the JWT or introspection
client certificate thumbprint (hash) in `x5t#S256` confirmation method of the JWT or introspection
JSON. Assuming the client uses the same certificate to establish a mutual TLS
session with the API, the thumbprint in the access token can verify that this
is the same client that obtained the access token. This feature is typically
used in high security environments, as the operational cost of mutual TLS is
material.

Decoded JWT example
```json
{
"iss": "https://server.example.com",
"sub": "ty.webb@example.com",
"exp": 1493726400,
"nbf": 1493722800,
"cnf":{
"x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
}
}
```

Sample introspection response
```json
HTTP/1.1 200 OK
Content-Type: application/json

{
"active": true,
"iss": "https://server.example.com",
"sub": "ty.webb@example.com",
"exp": 1493726400,
"nbf": 1493722800,
"cnf":{
"x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
}
}
```

### Server and Client configurations

Access token lifetime is configurable at the server level via the
`accessTokenLifetime` property. However, a client can override this value
during client registration with the `access_token_lifetime` request
parameter.

### Revoke Access Token

Access token can be revoked via [Revoke Endpoint](../endpoints/token-revocation.md)
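Review bot: the reworded sentence in this hunk now says the thumbprint is encoded "in `x5t#S256` confirmation method of the JWT" and drops the `cnf` claim, but both examples below show it nested as `"cnf": { "x5t#S256": ... }`; say both, e.g. "in the `x5t#S256` confirmation method of the `cnf` claim (RFC 8705)", so the prose matches the samples. The "Sample introspection response" block is fenced as ```json but starts with `HTTP/1.1 200 OK` and a `Content-Type` header, which is not JSON; fence it as ```http or move the status line and header outside the fence. In "Server and Client configurations", say how a client-supplied `access_token_lifetime` interacts with the server's `accessTokenLifetime` (whether a client may exceed the server value or whether the server caps it); without that, a reader cannot tell whether the per-client override weakens the server-wide limit. Wording: "Access token can be revoked via" needs an article ("An access token can be revoked via").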
17 changes: 9 additions & 8 deletions docs/admin/auth-server/tokens/oauth-refresh-tokens.md
Expand Up @@ -32,20 +32,21 @@ to issue a refresh token.
token.

`removeRefreshTokensForClientOnLogout`
: *Default: True* - Explicit logout is different then timeout, so if the
subject has initiated a logout, you may want to also remove all the refresh
tokens for that client. **todo**
: *Default: True* - Boolean value specifying whether to remove Refresh Tokens on logout.
However if intention is to leave Refresh Token after logout, it's required to set it to `false`.

`skipRefreshTokenDuringRefreshing`
: *Default: False* - **todo**
: *Default: False* - Boolean value specifying whether to skip refreshing tokens on refreshing.
By default AS always creates new Refresh Token on refresh call to Token Endpoint. This property allows to avoid (skip) new Refresh Token creation.

`refreshTokenExtendLifetimeOnRotation`
: *Default: False* - **todo**
: *Default: False* - Boolean value specifying whether to extend refresh tokens on rotation. By default lifetime is not extended, expiration date is set to date of previous Refresh Token. With this property it's possible to have all further Refresh Token have fixed (extended in relation to previuos Refresh Token) lifetime.

`checkUserPresenceOnRefreshToken`
: *Default: False* - **todo**
: *Default: False* - Check whether user exists and is active before creating RefreshToken. Set it to true if check is needed(Default value is false - don't check.

### Refresh Token Management

To revoke a token, a client can do so via the [revocation endpoint][../endpoints/token-revocation]. In order to get a list of refresh tokens outstanding by the AS:
**todo**.
To revoke a token, a client can do so via the [revocation endpoint][../endpoints/token-revocation] (including revocation of all tokens by `client_id`).


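Review bot: the new `checkUserPresenceOnRefreshToken` text has an unbalanced parenthesis and a missing space: "Set it to true if check is needed(Default value is false - don't check." should read "Set it to `true` if the check is needed (default `false`: no check)." Also "previuos" in `refreshTokenExtendLifetimeOnRotation` is a typo for "previous", and that entry would be clearer as: by default a rotated refresh token inherits the previous token's expiration time, while `true` gives every subsequently issued refresh token its own full lifetime. The `skipRefreshTokenDuringRefreshing` description "whether to skip refreshing tokens on refreshing" is circular; say "whether to issue a new refresh token on a refresh_token grant", and since the second sentence says the AS then skips creating a new refresh token, add that the client keeps using the refresh token it already holds, so whoever enables it knows the token is not rotated. The second sentence of `removeRefreshTokensForClientOnLogout` ("However if intention is to leave Refresh Token after logout, it's required to set it to `false`") restates the first; one sentence is enough. The "Refresh Token Management" line still uses `[revocation endpoint][../endpoints/token-revocation]`, a reference-style link with no matching definition, so it does not render as a link; use `[revocation endpoint](../endpoints/token-revocation.md)` as the other pages in this commit do. Finally, the removed "In order to get a list of refresh tokens outstanding by the AS: **todo**" was dropped rather than answered; if there is no such listing facility, say so instead of silently removing the question.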
Expand Up @@ -674,7 +674,7 @@ public class AppConfiguration implements Configuration {
@DocProperty(description = "Boolean value specifying whether to return detailed reason of the error from AS. Default value is false", defaultValue = "false")
private Boolean errorReasonEnabled = false;

@DocProperty(description = "Boolean value specifying whether to remove Refresh Tokens on logout. Default value is false", defaultValue = "true")
@DocProperty(description = "Boolean value specifying whether to remove Refresh Tokens on logout. Default value is true", defaultValue = "true")
private Boolean removeRefreshTokensForClientOnLogout = true;

@DocProperty(description = "Boolean value specifying whether to skip refreshing tokens on refreshing", defaultValue = "false")
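Review bot: the fix in this hunk makes the prose in `description` agree with `defaultValue = "true"` and the field initializer, but the default is still stated in three places (`description`, `defaultValue`, and `= true`), which is how this mismatch arose; consider dropping "Default value is ..." from the description strings and letting the doc generator print `defaultValue`, so the two cannot drift again. The unchanged `skipRefreshTokenDuringRefreshing` description ("whether to skip refreshing tokens on refreshing") is circular and is copied verbatim into the refresh-token doc page in this same commit; rephrase it here as "whether to issue a new refresh token when a refresh token is exchanged at the token endpoint" so the generated docs inherit the clearer wording.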
